Identity Manager 4.0.2 Oracle E-Business Suite Driver ...

Driver for Oracle E-Business Suite (User Management, HR, and TCA)Implementation GuideFebruary 2014

www.netiq.com/documentation

Legal Notice

THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON‐DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON‐DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ʺAS ISʺ WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.

For purposes of clarity, any module, adapter or other similar material (ʺModuleʺ) is licensed under the terms and conditions of the End User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with, and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End User License Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module and contact NetIQ for further instructions.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non‐disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202‐4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non‐DOD acquisitions), the government’s rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

© 2013 NetIQ Corporation and its affiliates. All Rights Reserved.

For information about NetIQ trademarks, see https://www.netiq.com/company/legal/.

https://www.netiq.com/company/legal/

Contents

About this Book and the Library 5About NetIQ Corporation 7

1 Introduction 91.1 Driver Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101.2 How the Drivers Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

1.2.1 Publisher Channel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111.2.2 Subscriber Channel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121.2.3 Associations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

1.3 Supported Oracle Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131.4 Key Driver Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

1.4.1 Password Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131.4.2 Entitlements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131.4.3 Object Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131.4.4 Driver Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131.4.5 Supported Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

1.5 Checklist for Enabling User Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

2 Installing the Driver Files 152.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152.2 Installing the Driver Shim . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152.3 Installing the PL/SQL APIs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162.4 Updating the PL/SQL APIs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172.5 Creating a SOAP Endpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172.6 Subscribing to the Business Events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

3 Creating a New Driver Object 193.1 Creating the Driver Object in Designer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

3.1.1 Importing the Current Driver Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193.1.2 Installing the Driver Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203.1.3 Configuring the Driver Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253.1.4 Deploying the Driver Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253.1.5 Starting the Driver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

3.2 Activating the Driver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

4 Securing Communication 274.1 Configuring the Publisher Channel Using the KMO File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274.2 Configuring the Publisher Channel Using the Keystore File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284.3 Configuring the Subscriber Channel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

5 Managing the Driver 33

6 Troubleshooting the Driver 356.1 Troubleshooting Driver Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Contents 3

4 Iden

6.2 Troubleshooting Driver Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356.2.1 NDSTrace shows http connection protocol on the Publisher channel . . . . . . . . . . . . . . . . . 356.2.2 OutOfMemory Error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356.2.3 The Telephone Number attribute values are not deleted on the Subscriber channel . . . . . 356.2.4 The Authentication Password is prompted when the Publisher channel is disabled

during driver creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366.3 Increasing the memory heap size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

7 Schema Mapping 37

A Driver Properties 39A.1 Driver Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

A.1.1 Driver Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40A.1.2 Driver Object Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40A.1.3 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40A.1.4 Startup Option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41A.1.5 Driver Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41A.1.6 Global Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

A.2 Global Configuration Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43A.2.1 Password Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44A.2.2 (Conditional) Default Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45A.2.3 Entitlements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45A.2.4 Account Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48A.2.5 Managed System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

B Trace Levels 51

tity Manager 4.0.2 Oracle E-Business Suite Driver Implementation Guide

About this Book and the Library

This guide introduces Identity Manager Administrators to the process of integrating identity information stored in Identity Manager with the User Management, HR, and TCA modules of the Oracle Business Suite.

Intended AudienceThis book provides information for individuals responsible for understanding administration concepts and implementing a secure, distributed administration model.

Other Information in the LibraryThe library provides the following information resources:

identity Manager Installation Guide Provides detailed planning and installation information.

Specific Driver Guides Provide implementation information about Identity Manager drivers.

About this Book and the Library 5

6 Identity Manager 4.0.2 Oracle E-Business Suite Driver Implementation Guide

About NetIQ Corporation

We are a global, enterprise software company, with a focus on the three persistent challenges in your environment: Change, complexity and risk—and how we can help you control them.

Our ViewpointAdapting to change and managing complexity and risk are nothing new

In fact, of all the challenges you face, these are perhaps the most prominent variables that deny you the control you need to securely measure, monitor, and manage your physical, virtual, and cloud computing environments.

Enabling critical business services, better and faster We believe that providing as much control as possible to IT organizations is the only way to enable timelier and cost effective delivery of services. Persistent pressures like change and complexity will only continue to increase as organizations continue to change and the technologies needed to manage them become inherently more complex.

Our PhilosophySelling intelligent solutions, not just software

In order to provide reliable control, we first make sure we understand the real‐world scenarios in which IT organizations like yours operate — day in and day out. Thatʹs the only way we can develop practical, intelligent IT solutions that successfully yield proven, measurable results. And thatʹs so much more rewarding than simply selling software.

Driving your success is our passion We place your success at the heart of how we do business. From product inception to deployment, we understand that you need IT solutions that work well and integrate seamlessly with your existing investments; you need ongoing support and training post‐deployment; and you need someone that is truly easy to work with — for a change. Ultimately, when you succeed, we all succeed.

Our SolutionsIdentity & Access Governance Access Management Security Management Systems & Application Management Workload Management Service Management

About NetIQ Corporation 7

Contacting Sales SupportFor questions about products, pricing, and capabilities, contact your local partner. If you cannot contact your partner, contact our Sales Support team.

Contacting Technical SupportFor specific product issues, contact our Technical Support team.

Contacting Documentation SupportOur goal is to provide documentation that meets your needs. If you have suggestions for improvements, click Add Comment at the bottom of any page in the HTML versions of the documentation posted at www.netiq.com/documentation. You can also email Documentation‐[email protected]. We value your input and look forward to hearing from you.

Contacting the Online User CommunityQmunity, the NetIQ online community, is a collaborative network connecting you to your peers and NetIQ experts. By providing more immediate information, useful links to helpful resources, and access to NetIQ experts, Qmunity helps ensure you are mastering the knowledge you need to realize the full potential of IT investments upon which you rely. For more information, visit http://community.netiq.com.

Worldwide: www.netiq.com/about_netiq/officelocations.asp

United States and Canada: 1-888-323-6768

Email: [email protected]

Web Site: www.netiq.com

Worldwide: www.netiq.com/support/contactinfo.asp

North and South America: 1-713-418-5555

Europe, Middle East, and Africa: +353 (0) 91-782 677

Email: [email protected]

Web Site: www.netiq.com/support


http://www.netiq.com/about_netiq/officelocations.asp

mailto:[email protected]

http://www.netiq.com


http://www.netiq.com/documentation



http://community.netiq.com

http://community.netiq.com

http://www.netiq.com/support/contactinfo.asp

http://www.netiq.com/support

1 1Introduction

The Identity Manager Drivers for Oracle E‐Business Suite synchronize users between the Identity Vault and the Oracle E‐Business Suite. Oracle E‐Business Suite (EBS) is a comprehensive suite of integrated, global business applications that includes modules for finance, human resources, supply chain management, customer relationship management, and business intelligence. There are mainly three types of user records in the Oracle EBS system. They are:

EBS User Record: Represents a record in the FND_USER table in the Oracle EBS system. To log in to the Oracle EBS system, a user must have a record in the FND_USER table.HRMS/PERSON Record: Represents a Human Resources Management System (HRMS) record in the Oracle EBS system. Some applications in the Oracle EBS system; for example, iExpense require a user to have a HRMS (Person) record. The Person record can be of different types like Employee, Part‐time worker, Contractor, and so on. Person records are stored in the PER_ALL_PEOPLE_F table in the Oracle EBS system.Customer/Vender Record: Represents a TCA record in the HZ_PARTIES table in the Oracle EBS system. Some applications in the Oracle EBS system such as iStore, iProcurement require users to have a Trading Community Architecture (TCA) record that are representatives or employees of customers and vendors.

There are three different Identity Manager drivers for synchronizing Oracle E‐Business Suite (EBS) users with the Identity Vault. They are:

Driver for User ManagementDriver for HRDriver for TCA

Each driver has a definite purpose and allows administrators to propagate user data among Oracle systems and other business applications and databases without the need for custom integration solutions. Administrators can decide what data to share and how to present data within their enterprises. The drivers offer the following features:

Automated, rule‐based user creation, modification, and deletion of user data with the Oracle EBS systemBidirectional attribute synchronizationBasic password set and synchronizationSupport for standard Identity Manager 4.0 features such as entitlements, identity tracking, and reporting

Table 1‐1 distinguishes features of each driver:

Introduction 9

Table 1-1 Driver Features

To use all the three drivers together, you must use entitlements.

1.1 Driver ConceptsData flows between the Oracle EBS system and the Identity Vault by using the Publisher and Subscriber channels.

The Publisher channel does the following:

Reads events from the Oracle EBS system on the server that the driver shim is connecting to.Submits that information to the Identity Vault.

The Subscriber channel does the following:

Watches for additions and modifications to the Identity Vault objects. Makes changes to the Oracle EBS system to reflect those changes.

Through the use of filters and policies, the driver can be configured to control and manage what changes are detected and sent to the Oracle EBS system.

The driver uses SOAP (Simple Object Access Protocol) to exchange data between Identity Manager and a Web service. SOAP is an XML‐based protocol for exchanging messages. It defines the message exchange but not the message content. The driver supports SOAP 1.1. SOAP follows the HTTP request/response message model, which provides SOAP request parameters in an HTTP request and SOAP response parameters in an HTTP response.

Driver for User

Management

Driver for User Management with HR Foundation

Driver for User Management with TCA Foundation

Synchronizes attributes between the Oracle EBS system and the Identity Vault.



Creates FND_USER records in the Oracle EBS system for the Identity Manager users and grants them roles and responsibilities.

Creates basic HRMS users in the PER_ALL_PEOPLE_F table.

Creates FND_USER records in the Oracle EBS system for the Identity Manager users and grants them roles and responsibilities.

Creates basic TCA records in the HZ_PARTIES table and links them to the FND_USER table records. For example, the PERSON_PARTY_ID column in the FND_USER table is linked with the PARTY_ID column of the HZ_PARTIES table.


1.2 How the Drivers WorkThe driver is a bidirectional synchronization product between the Oracle EBS system and the Identity Vault. This framework uses XML and XSLT to provide data and event transformation capabilities that convert Identity Vault data and events into Oracle data and vice‐versa.

The Identity Vault acts as a hub, with other applications and directories publishing their changes to it. The Identity Vault then sends changes to the applications and directories that have subscribed for them. This results in two main flows of data: the Publisher channel and the Subscriber channel.

Section 1.2.1, “Publisher Channel,” on page 11Section 1.2.2, “Subscriber Channel,” on page 12Section 1.2.3, “Associations,” on page 12

1.2.1 Publisher ChannelThe Oracle Workflow Business Event System (BES) is an application service that uses Oracle Advanced Queuing (AQ) technology to communicate business events among different Oracle systems. The BES consists of the Event Manager and Workflow that process event activities. The BES can propagate Add, Delete, and Modify event data to the Identity Vault. Only events specifically selected by the system administrator are transported from the Oracle EBS system to the PL/SQL APIs. The PL/SQL APIs (installed in the Oracle EBS system as part of the driver installation) handle the parsing of the events and read the appropriate data fields specified by the driver configuration, and provide secure transport of the data over an HTTP/HTTPS port to the Publisher channel. Figure 1‐1 shows the Publisher channel data flow from the Oracle EBS system to the Identity Vault.

Only the event attributes that have been specified in the driver Publisher filter are published to the Identity Vault. The Publisher channel then submits XML‐formatted documents to the Identity Manager engine to publish them into the Identity Vault.

Figure 1-1 Publisher Channel Data Transfer

EBS Business Events

Oracle EBS Host

The driver addsor updates the data in theIdentity Vault.

SSLconnection

IdentityVault

Identity ManagerEngine

Remote LoaderService

Identity Manager Host

The driver filters and converts relevant data into XML format.

Notification of events toPL/SQL APIs.

CustomPL/SQL APIs

HTTPS Post

Identity ManagerRemote Loader

Identity ManagerDriver

The driver is configured to capture the changes which are not notified via business events.

XML Doc

Introduction 11

The business events are cached and stored into a database table (idmusrmgt.idm_events table) in the Oracle EBS system. To guarantee the delivery of events to the Identity Manger, the events remain in the idmusrmgt.idm_events table until they are successfully send to the Identity Vault. The Publisher channel uses a SOAP endpoint to poll the idmusrmgt.idm_events table for certain future events such as future add or delete events or modification of roles and responsibilities to the existing users, which are meant to be executed at a later time. A future date of when these events need to be executed is specified along with the events. Future events are immediately synchronized with the Identity Vault. The login attribute is disabled for the future events until when they are required to be operational.

1.2.2 Subscriber ChannelThe Subscriber channel receives XML‐formatted Identity Vault events from the Identity Manager engine. The driver uses the Web Service security (WSS) token for authentication and updates the idmusrmgt.idm_events table with the Identity Vault changes.

Figure 1-2 Subscriber Channel Data Transfer

For data to flow from the Identity Vault to the Oracle system, the driver uses the SOAP functions. By using Identity Manager and other Identity Manager drivers, the data can be shared with other business applications and directories. These other applications can add additional data, which in turn can be transferred back to the idmusrmgt.idm_events table using the SOAP service on the Subscriber channel.

1.2.3 AssociationsAssociations are created between the Oracle EBS system and the Identity Vault objects during the synchronization process. For the Oracle EBS user object, a unique 7‐digit number must be created. However, the Identity Vault and other applications do not need to share this same unique ID. Identity Manager allows various naming policies in an organization to be applied to objects by using the DirXML‐Association attribute.

The DirXML‐Association attribute is multivalued. Therefore, if Identity Manager is being used to synchronize an object among multiple applications, all of the object’s unique IDs (or associations) can be stored in this attribute on the Identity Vault object.

The unique ID association links objects from the Oracle EBS database to the corresponding objects in the Identity Vault. When an Add or Matching event occurs, the association is made. This association allows the driver to perform subsequent tasks on the appropriate object.

Oracle EBS HostIdentity Manager Host

XML Doc

SSL (WSS)connection

Identity ManagerRemote Loader

Identity ManagerDriver

SOAPEndpoint

OracleEBS API

CustomPL/SQL

FND_USER

The driver translates XML doc and adds, deletes, or modifies the data in Oracle EBS. The driver can run on the Oracle EBS host or remotely.

"FND_USER_PKG.CREATEUSER(), UPDATEUSER(), HR_EMPLOYEE_API.CREATE_EMPLOYEE() , UPDATE_PERSON() HZ_PARTY_V2PUB.CREATE_PERSON(),...etc"


The DirXML‐Associations field is stored on the Identity Vault object on the Identity Manager property page. The User ID of a user in the Oracle EBS system is used to create association for the User Management and TCA drivers. The Person ID of an employee is used to create association for the HR driver.

1.3 Supported Oracle VersionsThe driver supports the Oracle Version 12.1.1 and above.

1.4 Key Driver FeaturesThe following sections provide information about the standard driver features supported by the Oracle EBS drivers:

“Driver Packages” on page 13“Supported Operations” on page 14

1.4.1 Password SynchronizationThe Subscriber channel sets the password. Passwords are not synchronized on the Publisher channel. This means that passwords are synchronized from the Identity Vault to the Oracle EBS system, but not from the Oracle EBS system to the Identity Vault. This feature is not needed for the HR driver.

1.4.2 EntitlementsThe Oracle EBS drivers driver implements entitlements. You can use entitlements to grant or revoke rights to an account in the driver. You should enable entitlements for the drivers only if you plan to use the User Application or Role‐Based Entitlements with the drivers. For more information about entitlements, see the Identity Manager 4.0.2 Entitlements Guide.

NOTE: The employee entitlement is the only entitlement supported by the HR driver.

1.4.3 Object SynchronizationThe Oracle EBS drivers synchronize users on the Subscriber and Publisher channels.

1.4.4 Driver PackagesThe Identity Manager content is delivered in packages. The packages create a driver with a set of policies suitable for synchronizing data with the Identity Vault. The following packages provide basic functionality for configuring the Oracle EBS drivers:

Common PackagesNOVLEBSATRKNOVLEBSAENTNOVLEBSENTNOVLEBSMSI

Introduction 13

https://www.netiq.com/documentation/idm402/pdfdoc/idm_entitlements/idm_entitlements.pdf#bookinfo

NOVLPWDSYNCNOVLEBSPWD

Packages for the User Management DriverNOVLORAUBASENOVLORAUDCFG

Packages for the HR DriverNOVLORAHBASE NOVLORAHDCFG NOVLORAHENTNOVLORAHATRK

Packages for the TCA DriverNOVLORATBASE NOVLORATDCFG

1.4.5 Supported OperationsThe Oracle EBS drivers support Add, Modify, Delete, Rename, Move, Future Add or Delete, Migrate, and Password Synchronization operations on the user objects on the Subscriber channels. All of them except Password Synchronization are supported on the Publisher channel.

1.5 Checklist for Enabling User SynchronizationUse the following checklist to verify that you complete the following tasks in order to have a complete solution with the driver.

Ensure that you have installed the software mentioned in Section 2.1, “Prerequisites,” on page 15.Install the driver object. For more information, see Chapter 2, “Installing the Driver Files,” on page 15.Create and configure the driver object. For more information, see Chapter 3, “Creating a New Driver Object,” on page 19.Create a secure connection between Identity Manager and the Oracle EBS system. For more information, see Chapter 4, “Securing Communication,” on page 27.


2 2Installing the Driver Files

You can install Oracle EBS drivers on multiple systems and platforms. To verify the system requirement list, see “System Requirements” in the Identity Manager 4.0.2 Integrated Installation Guide.

To install the drivers, you first need to install the driver files, install the driver packages, and modify the driver configuration to suit your environment. This section tells you how to install the driver files. For information on installing and configuring the packages, see Chapter 3, “Creating a New Driver Object,” on page 19.

Section 2.1, “Prerequisites,” on page 15Section 2.2, “Installing the Driver Shim,” on page 15Section 2.3, “Installing the PL/SQL APIs,” on page 16Section 2.4, “Updating the PL/SQL APIs,” on page 17Section 2.5, “Creating a SOAP Endpoint,” on page 17Section 2.6, “Subscribing to the Business Events,” on page 18

2.1 PrerequisitesIdentity Manager 4.0 or laterOracle 12.1.1

2.2 Installing the Driver Shim You can install the Oracle EBS driver(s) shim in the following ways:

On a local machine: Install the Oracle EBS driver files on the Identity Manager server and connect to the Oracle EBS system using the SOAP endpoint. For information on installing the Identity Manager server, see “Installing Identity Manager” in the Identity Manager 4.0.2 Integrated Installation Guide.On a remote machine: Install the Oracle EBS driver files on the Remote Loader. For information on installing the Remote Loader, see “Installing Identity Manager” in the Identity Manager 4.0.2 Integrated Installation Guide.

The files needed to install the driver are bundled in the NIdM_Driver_4.0.2_OracleEBS.zip file. The zipped file contains the driver shims and the PL/SQL scripts.

1 Locate the Oracle EBS driver files and execute them depending on your platform. Linux: install_linux.binSolaris: install_solaris.binWindows: install.exe

Installing the Driver Files 15

https://www.netiq.com/documentation/idm402/pdfdoc/idm_integrated_install/idm_integrated_install.pdf#bpo8wc2

https://www.netiq.com/documentation/idm402/pdfdoc/idm_integrated_install/idm_integrated_install.pdf#Front

https://www.netiq.com/documentation/idm402/pdfdoc/idm_integrated_install/idm_integrated_install.pdf#bpo8y7u



https://www.netiq.com/documentation/idm402/pdfdoc/idm_integrated_install/idm_integrated_install.pdf#bpo8y7u



The following tables show the default paths where the driver files are placed on an Identity Manager server or on a Remote Loader server.

Table 2-1 Locations for JAR Files: Identity Manager Server

Table 2-2 Locations for JAR Files: Remote Loader

Location of Log FilesLinux/Solaris: "$HOME/Identity Manager Driver for Oracle EBS/Identity_Manager_Driver_for_Oracle_EBS_InstallLog.log"

Windows: Identity Manager Server: <MetadirectoryInstall_Location>\lib\Identity_Manager_Driver_for_Oracle_EBS_InstallLog.log

Remote Loader: <Remote Loader Install_Location>\Identity_Manager_Driver_for_Oracle_EBS_InstallLog.log

2.3 Installing the PL/SQL APIsThe PL/SQL scripts handle parsing of events in the Oracle EBS database. The PL/SQL scripts configure database objects such as tables and procedures for data synchronization with the driver. If you don’t configure database objects, the data communication may not work properly. Locate the install_EBS.sql PL/SQL scripts from the NIdM_Driver_4.0.2_OracleEBS.zip file. You need to install them in the Oracle EBS system as part of the driver installation.

To create packages for Publisher, do the following:

1 Create a new package, IDM_DRIVER, for the Publisher channel and save it. 2 Add publisher.pls to it and save the package.3 Right‐click the package, select create body and paste the contents of the publisher.pkb file, then

save the package.

Repeat this procedure for creating the IDM_DRIVER_S package for the Subscriber channel and add subsciber.pls and subsciber.pkb files to the package and save it.

If the deployment fails, go to the /u01/app/VIS/inst/apps/VIS_sles11sp164-ora/soa/PLSQL/4723/SUBSCRIBE_EVENTS.wsdl file and remove the line, IRepOverloadSeq="1" under the operation tag, then save it and redeploy the SOAP service using the GUI method.

Platform Directory Path

Solaris or Linux /opt/novell/eDirectory/lib/dirxml/classes

Windows C:\novell\NDS\lib

Platform Directory Path

Solaris or Linux /opt/novell/eDirectory/lib/dirxml/classes

Windows C:\novell\RemoteLoader\lib


2.4 Updating the PL/SQL APIsIf you have already installed the PL/SQL APIs and need to update them, run the following steps:

NOTE: This procedure is applicable to Oracle EBS driver 402 Patch 1 and higher versions.

1 Use the Oracle SQL developer tool to log in to the Oracle database.2 Run the install_EBS.sql command.3 In the left panel, navigate to Packages and search for IDM_DRIVER.4 Replace the header with Publisher.pls and body with Publisher.pkb and save the package.5 In the left panel, navigate to Packages and search for IDM_DRIVER_S.6 Replace the header with Subscriber.pls and body with Subscriber.pkb and save the

package.

2.5 Creating a SOAP EndpointThe driver uses a SOAP endpoint to synchronize the Identity Manager events in Subscriber channel and poll the Oracle database for fetching events.

1 Create a new SOAP endpoint. Run the following shell script on the Oracle EBS server:

export FND_TOP=/u01/app/VIS/apps/apps_st/appl/fnd/12.0.0export APPL_TOP=/u01/app/VIS/apps/apps_st/appl. $APPL_TOP/APPS_instancename_hostname-ora.env#. /configure_EBS_UM.sh

NOTE: Currently, this script is available only for UNIX platforms.

You must specify appropriate values for FND_TOP and APPL_TOP variables in the commands.2 Using a Web browser, log into the Oracle EBS system as sysadmin user.3 On the Dashboard, click the Integrated SOA Gateway link.4 Click Integration Repository under the Integrated SOA Gateway tab, then change the view to By option to Product Family. The Novell Identity Manager Suite displays on the screen.

5 Expand the view, click Novell Identity Manager Suite > Driver > Subscriber and Identity Manager Subscriber.

6 Click Generate WSDL, then click Deploy.7 Select the Subscribe Identity Manager Events method under Procedures and Functions, then click Create Grant.

8 Select the user as sysadmin and click Apply.

On executing this command, if you get the error message, "Can't locate Class/MethodMaker.pm in @INC (@INC contains:..." , you need to install the Perl modules. For installation instructions, see the Oracle E‐Business Suite Integrated SOA Gateway Implementation Guide (http://docs.oracle.com/cd/E18727_01/doc.121/e12169/T511175T543269.htm).

Installing the Driver Files 17

http://docs.oracle.com/cd/E18727_01/doc.121/e12169/T511175T543269.htm

2.6 Subscribing to the Business EventsFor the driver to subscribe to the business events from the Oracle EBS system, the driver must log in to the Oracle EBS system through an EBS account.

1 Using a Web browser, log into the Oracle EBS system as sysadmin user.2 On the Dashboard, click the Workflow Administrator Web Applications link.3 Click Business Events under the Administrator Workflow tab.4 Type oracle.apps.fnd.user.insert in the Search text field, then click Go.5 Click the Subscription link of the search result.6 Click Create Subscription and specify the following information, then click Next.

system: Click Search, then browse to the correct system name you want to include. action type: Specify action type as custom.

7 Specify the following information and click Apply:PL/SQL Rule Function: Enter the IDM_DRIVER.PUBLISH_EVENT_TO_IDM function.Owner Name: Specify the name of the owner as PER.Owner Tag: Specify the tag of the owner as PER.

8 Repeat Step 1 to Step 7 for oracle.apps.fnd.user.update business events. When a business event occurs in the Oracle EBS system, the PL/SQL API handles the capturing of the event data and performs an HTTP post to the driver.

9 Provision users in the Oracle EBS system. 9a Install a custom PL/SQL.

The PL/SQL API processes events that are sent from Identity Manager via the SOAP endpoint.

9b Create a SOAP endpoint using IREP of the Oracle EBS system. This PL/SQL executes the appropriate SQL API based on the request it receives from the Identity Manager.


3 3Creating a New Driver Object

After the Oracle EBS driver files are installed on the server where you want to run the drivers (see Chapter 2, “Installing the Driver Files,” on page 15), you can create each driver object in the Identity Vault. You do so by installing the driver packages and then modifying the driver configuration to suit your environment. The following sections provide instructions:

Section 3.1, “Creating the Driver Object in Designer,” on page 19Section 3.2, “Activating the Driver,” on page 26

3.1 Creating the Driver Object in DesignerYou create each driver by installing the driver packages and then modifying the configuration to suit your environment. After you create and configure the driver object, you need to deploy it to the Identity Vault and start it.

Section 3.1.1, “Importing the Current Driver Packages,” on page 19Section 3.1.2, “Installing the Driver Packages,” on page 20Section 3.1.3, “Configuring the Driver Object,” on page 25Section 3.1.4, “Deploying the Driver Object,” on page 25Section 3.1.5, “Starting the Driver,” on page 26

3.1.1 Importing the Current Driver PackagesThe driver packages contain the items required to create a driver, such as policies, entitlements, filters, and Schema Mapping policies. These packages are only available in Designer. You can upgrade any package that is installed if there is a newer version of the package available. It is recommended to have the latest packages in the Package Catalog before creating a new driver object. For more information on upgrading packages, see “Upgrading Installed Packages” in the Designer 4.0.2 for Identity Manager 4.0.2 Administration Guide.

To verify that you have the most recent version of the driver packages in the Package Catalog:

1 Open Designer.2 In the toolbar, click Help > Check for Package Updates.3 Click OK to update the packages

orClick OK if the packages are up‐to‐date.

4 In the Outline view, right‐click the Package Catalog.5 Click Import Package.

Creating a New Driver Object 19

https://www.netiq.com/documentation/idm402/pdfdoc/designer_admin/designer_admin.pdf#packmanupgrade

https://www.netiq.com/documentation/idm402/pdfdoc/designer_admin/designer_admin.pdf#Front

https://www.netiq.com/documentation/idm402/pdfdoc/designer_admin/designer_admin.pdf#Front

6 Select any Oracle EBS driver packagesorClick Select All to import all of the packages displayed.By default, only the base packages are displayed. Deselect Show Base Packages Only to display all packages.

7 Click OK to import the selected packages, then click OK in the successfully imported packages message.

8 After the current packages are imported, continue with Section 3.1.2, “Installing the Driver Packages,” on page 20.

3.1.2 Installing the Driver PackagesAfter you have imported the current driver packages into the Package Catalog, you can install the driver packages to create a new driver.

1 In Designer, open your project.2 In the Modeler, right‐click the driver set where you want to create the driver, then click New > Driver.You need to do this for each driver you want to create.

3 Depending on the driver you want to create, select one of the following and then click Next:Oracle EBS User Management BaseOracle EBS HR BaseOracle EBS TCA Base

IMPORTANT: Run the following steps for each driver you want to create.

4 Select the optional features to install for the driver, then click Next. All options are selected by default depending on the driver you choose to install. The options are:Default Configuration: These packages contain the default configuration information for the Oracle EBS driver. Always leave this option selected.Password Synchronization: These packages contain the policies required to enable password synchronization. Leave this option selected if you want to synchronize passwords between the Identity Vault and the Oracle EBS system.Entitlements: These packages contain the policies and entitlements required to enable the driver for account creation and management with entitlements. For more information, see the Identity Manager 4.0.2 Entitlements Guide.




Data Collection: These packages contain the policies that enable the driver to collect data for reports. If you are using the Identity Reporting Module, verify that this option is selected. For more information, see the Identity Reporting Module Guide.Account Tracking: These packages contain the policies that enables account tracking information for reports. If you are using the Identity Reporting Module, verify that this option is selected. For more information, see the Identity Reporting Module Guide.

5 (Conditional) If there are package dependencies for the packages you selected to install, you must install these dependencies to install the selected packages. Click OK to install the Password Synchronization Notification package dependency.

6 (Conditional) Click OK to install the Common Settings package, if you have not installed any other packages into the selected driver set.

7 Click OK to install the Advanced Java Class package if you have not installed any other packages into the selected driver set.

8 (Conditional) Fill in the following fields on the Common Settings page, then click Next:


https://www.netiq.com/documentation/idm402/pdfdoc/reporting/reporting.pdf#front


The Common Settings page is displayed only if the Common Settings package is installed as a dependency.User Container: Select the Identity Vault container where the users are added if they don’t already existing in the Identity Vault. This value becomes the default value for all drivers in the driver set.If you want a unique location for this driver, set the value for all drivers on this page. After the driver is created, change the value on the driver’s Global Configuration Values page.

9 On the Driver Information page, specify a name for the driver, then click Next.10 Fill in the following fields to configure the driver, then click Next:

SOAP Endpoint URL of the Oracle EBS: Specify the URL of the Web service.EBS Username: Specify a name for the EBS user. This user should have appropriate privileges to access the SOAP endpoint.EBS Password: Specify a password for the EBS user.

11 On the Install Oracle EBS Base page, fill in the following fields for the Subscriber options, then click Next:Subscriber Channel Enabled: By default, the Subscriber channel is enabled. This means that the events are synchronized from Identity Manager to the Oracle EBS system. Fill the following fields for the Subscriber options:

Use SSL: By default, the SSL connection is enabled to secure communication between the driver and the Oracle EBS server. Specify No to not use SSL. For more information, see Chapter 4, “Securing Communication,” on page 27.If you use SSL, fill in the following parameters: Truststore File: Specify the name and path of the keystore file containing the trusted certificates used when the remote server is configured to provide server authentication. For example, c:\security\truststore. Leave this field empty when server authentication is not used. Set Mutual Authentication Parameters: Specify Yes to set mutual authentication information.

Keystore File: Specify the path and the name of the keystore file that contains the trusted certificates for the remote server to provide mutual authentication. For example, C:\security\keystore. Leave this field blank when mutual authentication is not used.Keystore Password: Specify the password for the keystore file. Leave this field blank when mutual authentication is not used.

Use Proxy: Specify Yes if you want to use the proxy connection.Proxy Host and Port: Specify the host address and the host port when a proxy host and port are used. For example: 192.10.1.3:18180. Or, if a proxy host and port are not used, leave this field empty. Proxy Username: Specify a name for the proxy connection.Proxy Password: Specify a password for the proxy connection.HTTP Errors to Retry: The HTTP error codes that return a retry status. The list of integers is separated by spaces. The error codes are: 307 404 408 503 504.

12 On the Install Oracle EBS Base page, fill in the following fields for the Publisher options, then click Next:


Publisher Channel Enabled: By default, the Publisher channel is enabled. The events are synchronized from the Oracle EBS system to the Identity Manager. Fill the following fields for the Publisher options:

Listening IP Address and Port: Specify the IP address of the server where this driver is installed and the port that this driver listens on. You can specify 127.0.0.1 if there is only one network card installed in the server. Choose an unused port number on your server. For example: 127.0.0.1:18180. The driver listens on this address for incoming requests, processes the requests, and returns a result.Authentication ID: Specify the authentication ID to validate incoming requests if Basic Authorization (on the HTTP header) is used.Authentication Password: Specify the password for the authentication ID.

NOTE: The Authentication Password prompts when the Publisher channel is disabled.

Use SSL: By default, the SSL connection is used for secure communication between the driver and the Oracle EBS server. Change this option to No if you don’t want to use SSL. When SSL is used, you need to fill the following parameters:

Select Certificate Store Mode: Select KMO if you are using eDirectory KMO for secure connection. Select Keystore to use the Java Keystore.KMO Name: If you select KMO, when this server is configured to accept HTTPS connections, this is the KMO name in eDirectory. The KMO name is the name before the ‐ in the RDN. Leave this field blank when a keystore file is issued or when HTTPS connections are not used.Keystore File: If you select Keystore, when this server is configured to accept HTTPS connections, this is the path and the name of the keystore file. For example; C:\security\keystore. Leave this field blank when a KMO name is used or when HTTPS connections are not used.Keystore Password: When this server is configured to accept HTTPS connections, this is the keystore file password. Leave this field blank when a KMO name is used or when HTTPS connections are not used.Server Key Alias: When this server is configured to accept HTTPS connections, this is the key alias. Leave this field blank when a KMO name is used or when HTTPS connections are not used.Server Key Password: When this server is configured to accept HTTPS connections, this is the key alias password (not the keystore password). Leave this field blank when a KMO name is used or when HTTPS connections are not used.

Require Mutual Authentication: When using SSL, it is common to do only server authentication. However, if you want to force both client and server to present certificates during the handshake process, select Required.Polling Interval in Seconds: Specify the number of seconds that the Publisher channel waits after running the polling script and sending Oracle EBS events to the Identity Manager engine. The default value is 60 seconds.Heartbeat Interval in Minutes: Specifies how often, in minutes, the driver shim contacts the Identity Manager engine when there has not been any traffic during the interval time. Specify 0 to disable the heartbeat. The default value is 1 minute.

13 Fill in the following fields for the Remote Loader information, then click Next:Connect To Remote Loader: Select Yes or No to determine if the driver will use the Remote Loader. For more information, see the Identity Manager 4.0.2 Remote Loader Guide.


https://www.netiq.com/documentation/idm402/pdfdoc/idm_remoteloader/idm_remoteloader.pdf#bookinfo

If you select No, skip to Step 16. If you select Yes, use the following information to complete the configuration of the Remote Loader:Host Name: Specify the IP address or DNS name of the server where the Remote Loader is installed and running.Port: Specify the port number for this driver. Each driver connects to the Remote Loader on a separate port. The default value is 8090. KMO: Specify the Key Name (for example, kmo=remotecert) of the Key Material Object (KMO) containing the keys and certificate to be used for SSL.If you used spaces in the certificate name, you need to enclose the KMO object nickname in single quotation marks.Remote Loader Password: Specify a password to control access to the Remote Loader. It must be the same password that is specified as the Remote Loader password on the Remote Loader.Driver Password: Specify a password for the driver to authenticate to the Identity Manager server. It must be the same password that is specified as the Driver Object Password on the Remote Loader.

14 (Conditional) On the Install Oracle EBS Account Tracking page, fill in the following fields for Account Tracking, then click Next:Realm: Specify the name of the realm, security domain, or namespace in which the account name is unique. You must set the Realm to the Oracle EBS Domain Name.

15 (Conditional) On the Install Oracle EBS Managed System Information page, fill in the following fields to define the ownership of the Oracle EBS system, then click Next:General Information

Name: Specify a descriptive name for the managed system.Description: Specify a brief description of the managed system.Location: Specify the physical location of the managed system.Vendor: Specify Oracle as the vendor of the managed system.Version: Specify the version of the managed system.

System Ownership Business Owner: Select a user object in the Identity Vault that is the business owner of the Oracle EBS system. This can only be a user object, not a role, group, or container.Application Owner: Select a user object in the Identity Vault that is the application owner of the Oracle EBS system. This can only be a user object, not a role, group, or container.This page is only displayed if you selected to install the Data Collection packages and the Account Tracking packages.

System Classification Classification: Select the classification of the Oracle EBS system. This information is displayed in the reports. The options are as follows:

Mission‐CriticalVitalNot‐CriticalOtherIf you select Other, you must specify a custom classification for the Oracle EBS system

Environment: Select the type of environment the Oracle EBS system provides. The options are as follows:

Development


TestStagingProductionOtherIf you select Other, you must specify a custom environment for the Oracle EBS system.

16 Review the summary of tasks that will be completed to create the driver, then click Finish.17 Continue with Section 3.1.3, “Configuring the Driver Object,” on page 25.

3.1.3 Configuring the Driver ObjectAfter importing the driver configuration file, you need to configure the driver object before it can run. Complete the following tasks to configure the driver:

Set Up a Secure HTTPS Connection: You can configure the connection between the driver and Oracle EBS to use a secure HTTPS connection rather than an HTTP connection. For instructions, see Chapter 4, “Securing Communication,” on page 27.Configure the driver parameters: There are many settings that can help you customize and optimize the driver. The settings are divided into categories such as Driver Configuration, Engine Control Values, and Global Configuration Values (GCVs). Although it is important for you to understand all of the settings, your first priority should be to configure the driver parameters located on the Driver Configuration page. For information about the driver parameters, see Section A.1.5, “Driver Parameters,” on page 41.Customize the driver policies and filter: Modify the driver policies and filter to implement your business policies.

Continue with Section 3.1.4, “Deploying the Driver Object,” on page 25.

3.1.4 Deploying the Driver ObjectAfter the driver object is created in Designer, it must be deployed into the Identity Vault.

1 In Designer, open your project.

2 In the Modeler, right‐click the driver icon or the driver line, then select Live > Deploy. 3 If you are authenticated to the Identity Vault, skip to Step 4, otherwise, specify the following

information, then click OK:Host: Specify the IP address or DNS name of the server hosting the Identity Vault.Username: Specify the DN of the user object used to authenticate to the Identity Vault.Password: Specify the user’s password.

4 Read the deployment summary, then click Deploy.5 Read the message, then click OK.6 Click Define Security Equivalence to assign rights to the driver.

The driver requires rights to objects within the Identity Vault. The Admin user object is most often used to supply these rights. However, you might want to create a DriversUser (for example) and assign security equivalence to that user.6a Click Add, then browse to and select the object with the correct rights.6b Click OK twice.

7 Click Exclude Administrative Roles to exclude users that should not be synchronized.


You should exclude any administrative User objects (for example, Admin and DriversUser) from synchronization.7a Click Add, then browse to and select the user object you want to exclude, then click OK. 7b Repeat Step 7a for each object you want to exclude, then click OK.

8 Click OK.

3.1.5 Starting the DriverWhen a driver is created, it is stopped by default. To make the driver work, you must start the driver and cause events to occur. Identity Manager is an event‐driven system, so after the driver is started, it won’t do anything until an event occurs.

To start the driver:

1 In Designer, open your project.

2 In the Modeler, right‐click the driver icon or the driver line, then select Live > Start Driver. 3 Continue with Section 3.2, “Activating the Driver,” on page 26.

3.2 Activating the DriverTo activate the Oracle EBS drivers, activate the Identity Manager engine, then activate the driver by using a separate Oracle EBS activation key. If you created the driver in a driver set that has not been activated, you must activate the Identity Manager engine and the driver within 90 days. Otherwise, the driver stops working.

For information on activation, refer to “Activating Novell Identity Manager Products” in the Identity Manager 4.0.2 Integrated Installation Guide.


https://www.netiq.com/documentation/idm402/pdfdoc/idm_integrated_install/idm_integrated_install.pdf#bpo948h



4 4Securing Communication

If the remote Web service you are accessing allows HTTPS connections, you can configure the driver to take advantage of this increased security.

IMPORTANT: Only certificates from a Java keystore are accepted. Make sure that the keystore for the certificates is a Java keystore.

The following sections provide instructions for creating a secure connection between Identity Manager and the Oracle EBS system:

Section 4.1, “Configuring the Publisher Channel Using the KMO File,” on page 27Section 4.2, “Configuring the Publisher Channel Using the Keystore File,” on page 28Section 4.3, “Configuring the Subscriber Channel,” on page 30

4.1 Configuring the Publisher Channel Using the KMO FileThe Publisher channel sends information from the Web service to the Identity Vault. To establish a secure connection for the Publisher channel, you need a keystore or a KMO containing a certificate issued by the certificate authority that signed the server’s certificate.

Oracle Wallet Manager is an application used to manage and edit security credentials in Oracle wallets. A wallet is a password‐protected container that stores authentication and signing credentials, including private keys, certificates, and trusted certificates, all of which are used by SSL for strong authentication. For more information, see Managing Wallets and Certificates.

1 Create a server certificate in iManager.:1a In the Roles and Tasks view, click Novell Certificate Server > Create Server Certificate.1b Browse to and select the server object where the Oracle EBS driver is installed.1c Specify a certificate nickname.1d Select Standard as the creation method, then click Next.1e Click Finish, then click Close.

2 Export a self‐signed certificate from the certificate authority in eDirectory:2a In the Roles and Tasks view, click Directory Administration > Modify Object.2b Select your tree’s certificate authority object, then click OK.

It is usually found in the Security container and is named something like TREENAME CA.Security.

2c Click Certificate > Self Signed Certificate., then click Export.2d When asked if you want to export the private key with the certificate, click No, then click

Next.

Securing Communication 27

http://docs.oracle.com/cd/B15904_01/core.1012/b13995/wallets.htm

2e Based on the client to be accessing the Web service, select either File in binary DER format or File in Base64 format for the certificate, then click Next.If the client uses a Java‐based keystore or trust store, then you can choose either format.

2f Click Save the exported certificate to a file.2g Click Save, then browse to a known location on your computer.2h Click Save, then click Close.2i Save the certificate in the Wallet Manager.

3 Start the Oracle Wallet Manager and create the certificate in the Oracle EBS system:UNIX: At the command line, enter owm.Windows: Select Start > Programs > Oracle‐HOME_NAME > Network Administration > Wallet Manager.

4 Import the certificate to the list of trusted certificates in the Oracle Wallet Manager:4a Click Operations > Import Trusted Certificate, the Import Trusted Certificate dialog appears.

Select the certificate created in Step 2 and click OK.A message informs you that the trusted certificate was successfully imported into the wallet. The trusted certificate appears at the bottom of the Trusted Certificates tree in the Oracle Wallet Manager main panel.

4b Save the wallet.4c Copy the Wallet Manager folder to a new location (for example, /opt/wallet).4d Execute the following SQL statements in the Oracle EBS system to configure the wallet:

insert into idmusrmgt.idm_config values('WALLET_PATH','file:/etc/ORACLE/WALLETS/pub')

insert into idmusrmgt.idm_config values('WALLET_PASSWORD','test123');

4e Add the required permissions for the folder in Step 4c, then click OK.5 Configure the Publisher channel to use the server certificate created in Step 1:

5a In iManager, in the Roles and Tasks view, click Identity Manager > Identity Manager Overview.5b Locate the driver set containing the Oracle EBS driver, then click the driver’s icon to display

the Identity Manager Driver Overview page.5c In the Identity Manager Driver Overview page, click the driver’s icon again, then scroll to

Publisher Settings.5d In the KMO name setting, specify the certificate nickname used in Step 1.

6 Click Apply, then click OK.

4.2 Configuring the Publisher Channel Using the Keystore File1 Create a keystore and its alias:

keytool -genkey -alias publisher10 -dname "cn=172.18.4.15:6060" -keypass novell -keystore publisherstore10.keystore -keyalg RSA

where publisher10 is the alias and publisherstore10.keystore is the name of the keystore. CN is the IP address of the Publisher listener (port). RSA algorithm is required for creating certificates in the Oracle wallets.

2 Self‐sign the certificate:


keytool -selfcert -alias publisher10 -dname "cn=172.18.4.15:6060" -keypass novell -keystore publisherstore10.keystore

3 Export the certificate to a file called publisher10.cert:

keytool -export -alias publisher10 -file publisher10.cert -keystore publisherstore10.keystore -storepass novell

4 Import the certificate in the Wallet Manager. 5 Start Oracle Wallet Manager.

UNIX: At the command line, enter owm.Windows: Select Start > Programs > Oracle‐HOME_NAME > Network Administration > Wallet Manager.

6 Add the certificate (publisher10.cert) to the list of trusted certificates in the Oracle Wallet Manager:6a Click Operations > Import Trusted Certificate, the Import Trusted Certificate dialog appears.

Select the certificate created in Step 3 and click OK. A message informs you that the trusted certificate was successfully imported into the wallet. The trusted certificate appears at the bottom of the Trusted Certificates tree in the Oracle Wallet Manager main panel.

6b Save the wallet.6c The trusted certificate appears at the bottom of the Trusted Certificates tree in the Oracle

Wallet Manager main panel.6d Copy the Wallet Manager folder to a new location (for example, /opt/wallet).6e Execute the following SQL statements in the Oracle EBS system to configure the wallet:

insert into idmusrmgt.idm_config values('WALLET_PATH','fi le:/etc/ORACLE/WALLETS/pub')

insert into idmusrmgt.idm_config values('WALLET_PASSWORD','test123');

6f Add the required permissions for the folder in Step 6d. 7 Configure the Publisher channel to use the server certificate created in Step 1:

7a In iManager, in the Roles and Tasks view, click Identity Manager > Identity Manager Overview.7b Locate the driver set containing the Oracle EBS driver, then click the driver’s icon to display

the Identity Manager Driver Overview page.7c In the Identity Manager Driver Overview page, click the driver’s icon again, then scroll to

Publisher Settings.7d In the Keystore File setting, specify the certificate nickname you used in Step 1.



4.3 Configuring the Subscriber ChannelThe Subscriber channel sends information from the Identity Vault to the Web service. To establish a secure connection for the Subscriber channel, you need a trust store containing a certificate issued by the certificate authority that signed the server’s certificate.

Oracle Wallet Manager is an application used to manage and edit security credentials in Oracle wallets. A wallet is a password‐protected container that stores authentication and signing credentials, including private keys, certificates, and trusted certificates, all of which are used by SSL for strong authentication. For more information, see Managing Wallets and Certificates.

1 If you are not using the default wallet.1a Change the SSLWallet property in the ssl.conf file to point the path of the wallet. For

example, if SSL wallet file is present in the /etc/ORACLE/WALLETS/pub location, enter this path in the ssl.conf file (for example, /u01/app/VIS/inst/apps/VIS_hostname/ora/10.1.3/conf/ssl.conf).

1b Add the path of the wallet in the sqlnet.ora file:

WALLET_LOCATION= (SOURCE= (METHOD=file) (METHOD_DATA= (DIRECTORY=/etc/ORACLE/WALLETS/pub)))

The sqlnet.ora file is present in the <ORACLE_HOME>/network/admin/<VIS_hostname> location.

2 Specify the HTTPS port as Listen in the ssl.conf file. For example, Listen 4443.3 Start the Oracle Wallet Manager and create the certificate in the Oracle EBS system:

UNIX: At the command line, enter owm.Windows: Select Start > Programs > Oracle‐HOME_NAME > Network Administration > Wallet Manager.

3a Add a certificate request to an Oracle wallet. Click Operations > Add Certificate Request.The Common Name must match with the hostname (donʹt include port). This is same as the Server Name entry in the httpd.conf file (for example, sles11sp164-ora.novell.com)

3b Export the certificate request created in 3a. Click Operations > Export Certificate Request, then save the exported file with a .csr extension (for example, subreq.csr).

3c (Conditional) Create a new Certificate Authority.

openssl req -new -x509 -keyout cakey.pem -out cacert.crt -days 365

Omit this step if you are using an existing Certificate Authority.3d Create the user certificate.

openssl x509 -req -in subreq.csr -CA cacert.crt -CAkey cakey.pem -CAcreateserial -days 365 > server.crt

3e Add the cacert.crt certificate to the wallet. Click Operations > Import Trusted Certificate.3f Add the server.crt certificate to the wallet. Click Operations > Import User Certificate.

3g Save the wallet, then restart the Oracle EBS system.If you are not using default wallet location, copy the wallet files to the custom location.

4 Download the certificate created in Step 3 from the Oracle EBS system.Export the certificate using the Oracle Wallet Manager.


http://docs.oracle.com/cd/B15904_01/core.1012/b13995/wallets.htm

OrType the URL in a Web browser and download the certificate. For example, type https://sles11sp164-ora.novell.com:4443.

5 Copy the certificate to the Identity Vault machine.6 Add the certificate to the trust store using the keytool.

keytool -import -file subscriber.cer -trustcacerts -noprompt -keystore dirxml.keystore -storepass novell

where subscriber.cer is the certificate downloaded in Step 4.7 Configure the Subscriber channel to use the keystore name (dirxml.keystore) created in

Step 6:7a In iManager, in the Roles and Tasks view, click Identity Manager > Identity Manager Overview.7b Locate the driver set containing the Oracle EBS driver, then click the driver’s icon to display

the Identity Manager Driver Overview page.7c On the Identity Manager Driver Overview page, click the driver’s icon again, then scroll to

Subscriber Settings.7d In the Truststore File setting, specify the path to the keystore created in Step 6.


NOTE: For setting up mutual authentication on the Subscriber channel, follow the instructions from Configuring the Publisher Channel Using the Keystore File and add the certificate to the keystore file in the Subscriber channel mutual authentication settings.


5 5Managing the Driver

As you work with the Oracle User driver, there are a variety of management tasks you might need to perform, including the following:

Starting, stopping, and restarting the driverViewing driver version informationUsing Named Passwords to securely store passwords associated with the driverMonitoring the driver’s health statusBacking up the driverInspecting the driver’s cache filesViewing the driver’s statisticsUsing the DirXML Command Line utility to perform management tasks through scriptsSecuring the driver and its informationSynchronizing objectsMigrating and resynchronizing data

Because these tasks, as well as several others, are common to all Identity Manager drivers, they are included in one reference, the NetIQ Identity Manager 4.0.2 Common Driver Administration Guide.

Managing the Driver 33

https://www.netiq.com/documentation/idm402/pdfdoc/idm_common_driver/idm_common_driver.pdf#Bktitle

6 6Troubleshooting the Driver

This section contains potential problems and error codes you might encounter while configuring or using the driver.

Section 6.1, “Troubleshooting Driver Processes,” on page 35Section 6.2, “Troubleshooting Driver Issues,” on page 35Section 6.3, “Increasing the memory heap size,” on page 36

6.1 Troubleshooting Driver ProcessesViewing driver processes is necessary to analyze unexpected behavior. To view the driver processing events, use DSTrace. You should only use it during testing and troubleshooting the driver. Running DSTrace while the drivers are in production increases the utilization on the Identity Manager server and can cause events to process very slowly. For more information, see “Viewing Identity Manager Processes” in the NetIQ Identity Manager 4.0.2 Common Driver Administration Guide.

6.2 Troubleshooting Driver IssuesThe following known issues exist for this version of the driver:

6.2.1 NDSTrace shows http connection protocol on the Publisher channelThe trace shows http when https has been setup on the Publisher channel.

6.2.2 OutOfMemory Error1If the driver shuts down with a java.lang.OutOfMemory error, do the following:

1 Try setting or increasing the DHOST_JVM_INITIAL_HEAP and DHOST_JVM_MAX_HEAP environment variables.

2 Restart the driver.3 Monitor the driver to make sure that the variables provide enough memory.

For more information, see “Configuring Java Environment Parameters” in the NetIQ Identity Manager 4.0.2 Common Driver Administration Guide.

6.2.3 The Telephone Number attribute values are not deleted on the Subscriber channel

Troubleshooting the Driver 35

https://www.netiq.com/documentation/idm402/pdfdoc/idm_common_driver/idm_common_driver.pdf#b1rc1vm





https://www.netiq.com/documentation/idm402/pdfdoc/idm_common_driver/idm_common_driver.pdf#bg0n8f8

6.2.4 The Authentication Password is prompted when the Publisher channel is disabled during driver creation

6.3 Increasing the memory heap sizeThe oafm module handles Webservices in the Oracle EBS system. To increase the memory heap size,

1 Go to the opmn.xml file in the /u01/app/VIS/inst/apps/VIS_sles11sp164-ora/ora/10.1.3/opmn/conf directory and search for oafm <process-type> id.

2 Edit the start‐parameters and stop‐parameters. Increase the Xmx to 2048, Xms to 1024, and MaxPermSize to 512.


7 7Schema Mapping

The policies and filters included in the driver packages provide bidirectional creation, deletion, and modification of user information in the Identity Vault and the Oracle EBS system. The driver is configured to synchronize information from the Identity Vault to the Oracle EBS system (Subscriber channel) and from the Oracle EBS system to the Identity Vault (Publisher channel). You can modify the policies and the filter to work with your specific business environment.

The Schema Mapping policy is referenced by the driver object and applies to both the Subscriber and the Publisher channel. The purpose of the Schema Mapping policy is to map schema names (particularly attribute names and class names) between the Identity Vault and the Oracle User database table (idmusrmgt.idm_events). Any modification or removal of existing entries in the Schema Mapping policy could destroy the default configuration and policies processing behavior. Adding new attribute mappings is discretionary.

Table 7‐1, Table 7‐2, and Table 7‐3 contain default mappings between the Oracle EBS user attributes for User Management, HR, and TCA modules and the Identity Vault attributes.

Table 7-1 Oracle User Management Attributes and the Identity Vault Attributes

Identity Vault Attribute Oracle User Management Attribute

User inetOrgPerson

CN USER_NAME

Description DESCRIPTION

Facsimile Telephone Number FAX

Internet EMail Address EMAIL_ADDRESS

Surname Mapped as default password if the password is not specified for the user.

Login Expiration Time END_DATE

loginActivationTime START_DATE

Password Expiration Interval PASSWORD_LIFESPAN_DAYS

IMPORTANT: If the Password Expiration field is set to Accesses in the Oracle EBS system, the password expiration interval is turned off. The Identity Vault does not have a corresponding attribute for Accesses; therefore, the driver fails to synchronize the password expiration changes with the Identity Vault. However, the changes are successfully synchronized if the password expiration interval is set to number of days.

Login Disabled LOGIN_DISABLED

DirXML-ebsPersonId EMPLOYEE_ID

Schema Mapping 37

Table 7-2 Oracle HR Attributes and the Identity Vault Attributes

Table 7-3 Oracle TCA Attributes and the Identity Vault Attributes

Identity Vault Attribute Oracle HR Attribute

User inetOrgPerson

Internet EMail Address P_EMAIL_ADDRESS

Surname P_LAST_NAME

Given Name P_FIRST_NAME

mailstop P_MAILSTOP

L P_INTERNAL_LOCATION

Initials P_MIDDLE_NAMES

DirXML-ebsGender P_SEX

Identity Vault Attribute Oracle TCA Attribute

User inetOrgPerson

CN USER_NAME

Description DESCRIPTION

Facsimile Telephone Number

FAX

Login Expiration Time END_DATE

loginActivationTime START_DATE

Password Expiration Interval PASSWORD_LIFESPAN_DAYS

Internet EMail Address TCA_EMAIL_ADDRESS

Login Disabled LOGIN_DISABLED

Surname TCA_PERSON_LAST_NAME

Given Name TCA_PERSON_FIRST_NAME

EMail Address EMAIL_ADDRESS

Initials TCA_PERSON_MIDDLE_NAME


A ADriver Properties

This section provides information about the Driver Configuration and Global Configuration Values properties for the Oracle EBS driver. These are the only unique properties for this driver. All other driver properties (Named Password, Engine Control Values, Log Level, and so forth) are common to all drivers. Refer to “Driver Properties” in the NetIQ Identity Manager 4.0.2 Common Driver Administration Guide for information about the common properties.

The information is presented from the viewpoint of iManager. If a field is different in Designer, it is marked with an icon.

Section A.1, “Driver Configuration,” on page 39Section A.2, “Global Configuration Values,” on page 43

A.1 Driver ConfigurationIn Designer:

1 Open a project in the Modeler.

2 Right‐click the driver icon or line, then select click Properties > Driver Configuration.

In iManager:

1 In iManager, click to display the Identity Manager Administration page. 2 Open the driver set that contains the driver whose properties you want to edit:

2a In the Administration list, click Identity Manager Overview.2b If the driver set is not listed on the Driver Sets tab, use the Search In field to search for and

display the driver set.2c Click the driver set to open the Driver Set Overview page.

3 Locate the Oracle EBS driver icon, then click the upper right corner of the driver icon to display the Actions menu.

4 Click Edit Properties to display the driver’s properties page.By default, the properties page opens with the Driver Configuration tab displayed.

The Driver Configuration options are divided into the following sections:

Section A.1.1, “Driver Module,” on page 40Section A.1.2, “Driver Object Password,” on page 40Section A.1.3, “Authentication,” on page 40Section A.1.4, “Startup Option,” on page 41Section A.1.5, “Driver Parameters,” on page 41Section A.1.6, “Global Configurations,” on page 43

Driver Properties 39

https://www.netiq.com/documentation/idm402/pdfdoc/idm_common_driver/idm_common_driver.pdf#b94pq23



A.1.1 Driver ModuleThe driver module changes the driver from running locally to running remotely or the reverse.

Java: Used to specify the name of the Java class that is instantiated for the shim component of the driver. This class can be located in the classes directory as a class file, or in the lib directory as a .jar file. If this option is selected, the driver is running locally.

The name of the Java class for the User Management driver is: com.novell.nds.dirxml.driver.ebs.user.EBSUserDriver

The name of the Java class is for the HR driver is: com.novell.nds.dirxml.driver.ebs.hr.EBSHRDriver

The name of the Java class for the TCA driver is: com.novell.nds.dirxml.driver.ebs.tca.EBSTCADriver

Native: This option is not used with the Oracle drivers.

Connect to Remote Loader: Used when the driver is connecting remotely to the Oracle EBS system. Designer includes two suboptions:

Remote Loader Client Configuration for Documentation: Includes information on the Remote Loader client configuration when Designer generates documentation for the Oracle User driver.Driver Object Password: Specifies a password for the Driver object. If you are using the Remote Loader, you must enter a password on this page. Otherwise, the remote driver does not run. The Remote Loader uses this password to authenticate itself to the remote driver shim.

A.1.2 Driver Object Password Driver Object Password: Use this option to set a password for the driver object. If you are using the Remote Loader, you must enter a password on this page or the remote driver does not run. This password is used by the Remote Loader to authenticate itself to the remote driver shim.

A.1.3 AuthenticationThe authentication section stores the information required to authenticate to the Oracle EBS system.

Authentication ID: Specify an Oracle account that the driver can use to authenticate to the Oracle system.

For example:

For all drivers (User Management, HR, or TCA), assign System Administrator responsibility to the user.

Authentication Context: Specify the IP address or name of the Oracle EBS server the driver should communicate with. For example, http://myoracleserver.com:8000/webservices/SOAProvider/plsql/idm_driver_s/.

Remote Loader Connection Parameters: Used only if the driver is connecting to the application through the Remote Loader. The parameter to enter is hostname=xxx.xxx.xxx.xxx port=xxxx kmo=certificatename, when the hostname is the IP address of the application server running the Remote Loader server and the port is the port the Remote Loader is listening on. The default port for the Remote Loader is 8090.

The kmo entry is optional. It is only used when there is an SSL connection between the Remote Loader and the Identity Manager engine.


Example: hostname=10.0.0.1 port=8090 kmo=IDMCertificate

Application Password: Specify the password for the user object listed in the Authentication ID field.

Remote Loader Password: Used only if the driver is connecting to the application through the Remote Loader. The password is used to control access to the Remote Loader instance. It must be the same password specified during the configuration of the Remote Loader on the Oracle EBS system.

Driver Cache Limit (KB): Specify the maximum event cache file size (in KB). If it is set to zero, the file size is unlimited. Click Unlimited to set the file size to unlimited in Designer.

A.1.4 Startup OptionThe Startup Option allows you to set the driver state when the Identity Manager server is started.

Auto start: The driver starts every time the Identity Manager server is started.

Manual: The driver does not start when the Identity Manager server is started. The driver must be started through Designer or iManager.

Disabled: The driver has a cache file that stores all of the events. When the driver is set to Disabled, this file is deleted and no new events are stored in the file until the driver state is changed to Manual or Auto Start.

Do not automatically synchronize the driver: This option only applies if the driver is deployed and was previously disabled. If this is not selected, the driver re‐synchronizes the next time it is started.

A.1.5 Driver ParametersThe Driver Parameters section lets you configure the driver‐specific parameters. When you change driver parameters, you tune driver behavior to align with your network environment.

The parameters are presented by category:

“Subscriber Options” on page 41“Publisher Options” on page 42

Subscriber OptionsSubscriber Channel Enabled: By default, the Subscriber channel is enabled. This means that the events are synchronized from the Identity Manager to the Oracle EBS system. Fill the following fields for the Subscriber options:

Use SSL: By default, the SSL connection is enabled to secure communication between the driver and the Oracle EBS server. Specify No to not use SSL. For more information, see Chapter 4, “Securing Communication,” on page 27.

If you use SSL, fill in the following parameters:

Truststore File: Specifies the name and path of the keystore file containing the trusted certificates used when the remote server is configured to provide server authentication. For example, c:\security\truststore. Leave this field empty when server authentication is not used.


Set Mutual Authentication Parameters: Specify Yes to set mutual authentication information. Specify No to not use mutual authentication.

Keystore File: Specify the path and the name of the keystore file that contains the trusted certificates for the remote server to provide mutual authentication. For example, C:\security\keystore. Leave this field blank when mutual authentication is not used.Keystore Password: Specify the password for the keystore file. Leave this field blank when mutual authentication is not used.

Use Proxy: Specify Yes if you want to use the proxy connection. Specify No to not use proxy.

Proxy Host and Port: Specify the host address and the host port when a proxy host and port are used. For example: 192.10.1.3:18180.

Or, if a proxy host and port are not used, leave this field empty. Proxy Username: Specify a name for the proxy connection.Proxy Password: Specify a password for the proxy connection.

HTTP Errors to Retry: The HTTP error codes that return a retry status. The list of integers is separated by spaces. The error codes are: 307 404 408 503 504.

Publisher OptionsPublisher Channel Enabled: By default, the Publisher channel is enabled. The events are synchronized from the Oracle EBS system to Identity Manager. Fill the following fields for the Publisher options:

Listening IP Address and Port: Specifies the IP address of the server where the Oracle EBS driver is installed and the port number that this driver listens on.

Choose an unused port number on your server. For example: 192.168.10.1:18180. The driver listens on this address for incoming requests, processes the requests, and returns a result. Leave this field blank when the Publisher channel is not active.

Authentication ID: Specify the Authentication ID that the driver will use to validate the Publisher events from the Oracle EBS system. It is communicated to the Oracle EBS system when the driver is started. The driver uses it to determine which events it should ignore. For example, it ignores events from the unauthorized connected systems.

Authentication Password: Specify the authentication password that the driver will use to validate the Publisher events from the Oracle EBS system. It is communicated to the Oracle EBS system when the driver is started.

If you need to clear the password, select Remove existing password, then click Apply.

Server Key Alias: When this server is configured to accept HTTPS connections, this is the key alias. Leave this field blank when a KMO name is used or when HTTPS connections are not used.

Server Key Password: When this server is configured to accept HTTPS connections, this is the key alias password (not the keystore password). Leave this field blank when a KMO name is used or when HTTPS connections are not used.

Use SSL: By default, the SSL connection is used for secure communication between the Oracle drivers and the Oracle EBS server. Specify No to not use SSL. For more information, see Chapter 4, “Securing Communication,” on page 27.

When SSL is used, fill the following parameters:


Select Certificate Store Mode: There are two options: KMO and Keystore. Select KMO if you are using eDirectory KMO for secure connection. Select Keystore to use the Java Keystore.

KMO Name: If you select KMO for the secure connection, specify the KMO name to be used in eDirectory.

When the server is configured to accept HTTPS connections, this name becomes the KMO name in the Identity Vault. The KMO name is the name before the “‐” (dash) in the RDN.

Leave this field empty when a keystore file is used or when HTTPS connections are not used.

Keystore File: If Keystore option is used for the secure connection, this field specifies the keystore name and path to the keystore file. This file is used when the server is configured to accept HTTPS connections.

Leave this field empty when a KMO name is used or when HTTPS connections are not used.

Keystore Password: Specifies the keystore file password used with the Keystore File field when this server is configured to accept HTTPS connections.


Server Key Alias: Specifies a Server key alias when this server is configured to accept HTTPS connections.


Server Key Password: When this server is configured to accept HTTPS connections, this is the key alias password (not the keystore password). Leave this field empty when a KMO name is used or when HTTPS connections are not used.

Require Mutual Authentication: When using SSL, it is common to do only server authentication. However, if you want to force both client and server to present certificates during the handshake process, mutual authentication is required.

Polling Interval in Seconds: Specifies how often the Publisher channel polls for unprocessed events. Leave this field blank to turn off the polling. The default value is 60 seconds.

Heartbeat Interval in Minutes: Configures the driver shim to send a periodic status message on the Publisher channel when there has been no Publisher traffic for the given number of minutes. Leave this field empty to turn off the heartbeat. The default value is 1 minute.

A.1.6 Global ConfigurationsDisplays an ordered list of Global Configuration objects. The objects contain extension GCV definitions for the driver that Identity Manager loads when the driver is started. You can add or remove the Global Configuration objects, and you can change the order in which the objects are executed.

A.2 Global Configuration ValuesGlobal configuration values (GCVs) are values that can be used by the driver to control functionality. GCVs are defined on the driver or on the driver set. Driver set GCVs can be used by all drivers in the driver set. Driver GCVs can be used only by the driver on which they are defined.

The Oracle User Management driver includes several predefined GCVs. You can also add your own if you discover you need additional ones as you implement policies in the driver.


To access the driver’s GCVs in iManager:

1 Click to display the Identity Manager Administration page. 2 Open the driver set that contains the driver whose properties you want to edit.

2a In the Administration list, click Identity Manager Overview.2b If the driver set is not listed on the Driver Sets tab, use the Search In field to search for and

display the driver set.2c Click the driver set to open the Driver Set Overview page.

3 Locate the driver icon, click the upper right corner of the driver icon to display the Actions menu, then click Edit Properties.orTo add a GCV to the driver set, click Driver Set, then click Edit Driver Set properties.

To access the driver’s GCVs in Designer:

1 Open a project in the Modeler.

2 Right‐click the driver icon or line, then select Properties > Global Configuration Values. or

To add a GCV to the driver set, right‐click the driver set icon , then click Properties > GCVs.

The GCVs are divided into the following categories:

Section A.2.1, “Password Synchronization,” on page 44Section A.2.2, “(Conditional) Default Configuration,” on page 45Section A.2.3, “Entitlements,” on page 45Section A.2.4, “Account Tracking,” on page 48Section A.2.5, “Managed System Information,” on page 48

IMPORTANT: The HR driver synchronizes employee information; therefore, Account Tracking and Password Synchronization GCVs do not apply to this driver.

A.2.1 Password SynchronizationThese GCVs enable password synchronization between the Identity Vault and the Oracle EBS system.

In Designer, you must click the icon next to a GCV to edit it. This displays the Password Synchronization Options dialog box for a better view of the relationship between the different GCVs.

In iManager, you should edit the Password Management Options on the Server Variables tab rather than under the GCVs. The Server Variables page has a better view of the relationship between the different GCVs.

For more information about how to use the Password Management GCVs, see “Configuring Password Flow” in the Identity Manager 4.0.2 Password Management Guide.

Oracle EBS Userʹs Default password: Specify the default password for the Oracle EBS users. The minimum length of the password should be more than 5 characters. If the user password is empty or contains less than 5 characters, the default password is set.


https://www.netiq.com/documentation/idm402/pdfdoc/idm_password_management/idm_password_management.pdf#bnwjt01

https://www.netiq.com/documentation/idm402/pdfdoc/idm_password_management/idm_password_management.pdf#bnwjt01

https://www.netiq.com/documentation/idm402/pdfdoc/idm_password_management/idm_password_management.pdf#Front

Application accepts passwords from Identity Manager: If True, allows passwords to flow from the Identity Manager data store to the Oracle EBS system.

Identity Manager accepts passwords from application: If True, allows passwords to flow from the Oracle EBS system to the Identity Manager.

Publish passwords to NDS password: Use the password from the Oracle EBS system to set the non‐reversible NDS password in the Identity Vault.

Publish passwords to Distribution Password: Use the password from the Oracle EBS system to set the NMAS Distribution Password used for Identity Manager password synchronization.

Require password policy validation before publishing passwords: If True, applies NMAS password policies during publish password operations. The password is not written to the data store if it does not comply.

Reset user’s external system password to the Identity Manager password on failure: If True, on a publish Distribution Password failure, attempt to reset the password in the Oracle EBS system by using the Distribution Password from the Identity Manager data store.

Notify the user of password synchronization failure via e‐mail: If True, notify the user by e‐mail of any password synchronization failures.

A.2.2 (Conditional) Default Configuration Set Oracle EBS HR As Authoritative Data Source: Select True if you don’t want to synchronize add and delete operations on the Subscriber channel. All other operations including modify are synchronized. By default, False is selected.

A.2.3 EntitlementsThere are multiple sections in the Entitlements tab. Depending on which packages you installed, different options are enabled or displayed.

“Entitlements Options for User Management and TCA Drivers” on page 45“Data Collection Options for User Management and TCA Drivers” on page 46“Role Mapping Options for User Management and TCA Drivers” on page 46“Resource Mapping Options for User Management and TCA Drivers” on page 46“Entitlements Options for the HR Driver” on page 47“Data Collection Options for the HR Driver” on page 47“Role Mapping Options for the HR Driver” on page 47“Resource Mapping Options for the HR Driver” on page 47“Entitlement Extensions” on page 47

Entitlements Options for User Management and TCA Drivers(User Management and TCA drivers) Use User Account Entitlement: Select True to enable the driver to manage user accounts based on the driver’s defined entitlements. Select False to disable management of user accounts based on the entitlements.

Enable Login Disabled Attribute Sync: Select Yes if the changes made to the LoginDisabled attribute in the Identity Vault should be synchronized even if the User Account entitlement (Account) is enabled.


Account Action on Entitlement Revoke?: Select the action to take when a user account entitlement is revoked. The options are Disable User or Do Nothing. By default, Disable User is selected.

Use Role Entitlement: Enables the Role entitlement that is included with the driver. Select True to enable this entitlement.

Use Responsibility Entitlement: Enables the Responsibility entitlement that is included with the driver. Select True to enable this entitlement.

Advanced Settings: Select Show to display the entitlement options that allow or deny additional functionality like data collection and others. These settings should rarely be changed.

Data Collection Options for User Management and TCA DriversData collection enables the Identity Report Module to gather information to generate reports. For more information, see the Identity Reporting Module Guide.

Enable data collection: Select Yes to enable data collection for the driver through the Data Collection Service by the Managed System Gateway driver. If you are not going to run reports on data collected by this driver, select No.

Allow data collection from user accounts: If Yes, it allows data collection by the Data Collection Service for the user accounts.

Allow data collection from roles: If Yes, it allows data collection by the Data Collection Service for roles.

Allow data collection from resources: If Yes, it allows data collection by the Data Collection Service for responsibilities.

Role Mapping Options for User Management and TCA DriversThe Role Mapping Administrator allows you to map business roles with IT roles. For more information, see the Novell Identity Manager Role Mapping Administrator 4.0.2 User Guide.

Enable role mapping: If Yes, the driver is visible to the Role Mapping Administrator.

Allow mapping of user accounts: If Yes, it allows mapping of user accounts in the Role Mapping Administrator. An account is required before a role or responsibility can be granted to it through the Role Mapping Administrator.

Allow mapping of roles: If Yes, it allows mapping of groups in the Role Mapping Administrator.

Allow mapping of responsibilities: If Yes, it allows mapping of responsibilities in the Role Mapping Administrator.

Resource Mapping Options for User Management and TCA DriversThe Roles Based Provisioning Module allows you to map resources to users. For more information, see the User Application: User Guide.

Enables resource mapping: If Yes, the driver is visible to the Roles Based Provisioning Module.

Allow mapping of user accounts: If Yes, it allows mapping of user accounts in the Roles Based Provisioning Module. An account is required before a role or responsibility can be granted to it.

Allow mapping of roles: If Yes, it allows mapping of roles in the Roles Based Provisioning Module.



https://www.netiq.com/documentation/idm402/pdfdoc/role_mapping_user/role_mapping_user.pdf#bookinfo

https://www.netiq.com/documentation/idm402/pdfdoc/ugpro/ugpro.pdf#front

Allow mapping of responsibilities: If Yes, it allows mapping of responsibilities in the Roles Based Provisioning Module.

Entitlements Options for the HR DriverUse Employee Entitlements: Select True to enable the HR driver to manage employees based on the driver’s defined entitlements. Select False to disable employees based on the entitlements.

Action on Employee while Entitlement Revoke?: Select the action to take when an entitlement is revoked for an employee. The options are Delete User or Do Nothing. By default, Delete User is selected.

Format for Employee entitlement: Specifies the parameter format that the entitlement agent uses when granting this entitlement. The options are Identity Manager 4 or Legacy.

Data Collection Options for the HR DriverData collection enables the Identity Report Module to gather information to generate reports. For more information, see the Identity Reporting Module Guide.

Enable data collection: Select Yes to enable data collection for the driver through the Data Collection Service by the Managed System Gateway driver. If you are not going to run reports on data collected by this driver, select No.

Allow data collection from employees: If Yes, it allows data collection by the Data Collection Service for employees.

Role Mapping Options for the HR DriverThe Role Mapping Administrator allows you to map business roles with IT roles. For more information, see the Novell Identity Manager Role Mapping Administrator 4.0.2 User Guide.

Enable role mapping: If Yes, the driver is visible to the Role Mapping Administrator.

Allow mapping of employees: If Yes, it allows mapping of employees in the Role Mapping Administrator.

Resource Mapping Options for the HR DriverThe Roles Based Provisioning Module allows you to map resources to employees. For more information, see the User Application: User Guide.

Enables resource mapping: If Yes, the driver is visible to the Roles Based Provisioning Module.

Allow mapping of employees: If Yes, it allows mapping of employees in the Roles Based Provisioning Module.

Entitlement ExtensionsUser account extensions: The content of this field is added below the entitlement elements in the EntitlementConfiguration resource object.

Role extensions: The content of this field is added below the entitlement elements in the EntitlementConfiguration resource object.


https://www.netiq.com/documentation/idm402/pdfdoc/role_mapping_user/role_mapping_user.pdf#bookinfo

https://www.netiq.com/documentation/idm402/pdfdoc/ugpro/ugpro.pdf#front


Resource extensions: The content of this field is added below the entitlement elements in the EntitlementConfiguration resource object.

A.2.4 Account TrackingAccount tracking is part of the Identity Reporting Module. For more information, see the Identity Reporting Module Guide.

Enable account tracking: Set this to True to enable account tracking policies. Set it to False if you do not want to execute account tracking policies.

Realm: Specify the name of the realm, security domain, or namespace in which the account name is unique. You must set the Realm to the Oracle EBS Domain Name.

Object Class: Adds the object class to track. Class names must be in the application namespace.

Identifiers: Adds the account identifier attributes. Attribute names must be in the application namespace.

Status attribute: Is the name of the attribute in the application namespace to represent the account status.

Status active value: Is the value of the status attribute that represents an active state.

Status inactive value: Is the value of the status attribute that represents an inactive state.

Subscription default status: Specifies the default status that the policies assume when an object is subscribed to the application and the status attribute is not set in the Identity Vault.

Publication default status: Specifies the default status that the policies assume when an object is published to the Identity Vault and the status attribute is not set in the application.

A.2.5 Managed System InformationThese settings help the Identity Reporting Module function to generate reports. There are different sections in the Managed System Information tab.

“General Information” on page 48“System Ownership” on page 49“System Classification” on page 49“Connection and Miscellaneous Information” on page 49

General InformationName: Specify a descriptive name for the managed system.

Description: Specify a brief description of the managed system.

Location: Specify the physical location of the managed system.

Vendor: Specify Oracle as the vendor of the managed system.

Version: Specify the version of the managed system.




System OwnershipBusiness Owner: Browse to and select the business owner in the Identity Vault for the Oracle EBS system. You must select a user object, not a role, group, or container.

Application Owner: Browse to and select the application owner in the Identity Vault for the the Oracle EBS system. You must select a user object, not a role, group, or container.

System ClassificationClassification: Select the classification of the Oracle EBS system. This information is displayed in the reports. The options are:

Mission‐CriticalVitalNot‐CriticalOtherIf you select Other, you must specify a custom classification for the Oracle EBS system.

Environment: Select the type of environment the Oracle EBS system provides. The options are:

DevelopmentTestStagingProductionOtherIf you select Other, you must specify a custom classification for the Oracle EBS system

Connection and Miscellaneous InformationConnection and miscellaneous information: This set of options is always set to hide, so that you don’t make changes to these options. These options are system options that are necessary for reporting to work.


B BTrace Levels

The driver supports the following trace levels:

Table B-1 Supported Trace Levels

For information about setting driver trace levels, see “Viewing Identity Manager Processes” in the NetIQ Identity Manager 4.0.2 Common Driver Administration Guide.

Oracle EBS Trace and Logging You can enable trace and logging in the Oracle User Management, HR, or TCA modules. For example, to enable trace in the User Management module,

1 Log in to the Oracle EBS system with an administrator role.2 Go to System Administrator > Security:User > Define window.3 Click Help > Diagnostics > Trace, then select one of the following options:

No TraceRegular TraceTrace with BindsTrace with WaitsTrace with Binds and Waits PL/SQL Profiling

To disable the trace, click No Trace.

To enable logging in the User Management module,

1 Log in to the Oracle EBS system with an administrator role.2 Go to System Administrator > Security:User > Define window.3 Click Help > Diagnostics > Logging > Preferences.

Level Description

0 No debugging

1-3 Identity Manager messages. Higher trace levels provide more detail.

4 Previous level plus Remote Loader, driver, driver shim, and driver connection messages, driver parameters, driver security, driver schema, request and response XML.

Trace Levels 51



A screen like this appears:


Identity Manager 4.0.2 Oracle E-Business Suite Driver ...

Documents

Transcript of Identity Manager 4.0.2 Oracle E-Business Suite Driver ...